What does the integration do in Leapsome?
Once set up, our integration with Entra ID (formerly Azure Active Directory) allows you to automate user management and/or use Single Sign-On in Leapsome:
- Create new users in Leapsome: When the next sync runs, the following users and teams (groups) are added to Leapsome:
  - Users that were added to the application
  - Users that were added to a group that had already been added to the application
  - Users that are part of a new group that was added to the application (sub-group users are not considered)
- Update users: Changes you make to a user in Entra ID will automatically be reflected in Leapsome within 40 minutes
- Deactivate and reactivate users: Leapsome will automatically deactivate users whose status is not active in Entra ID, or reactivate them if they had been deactivated before
- Create teams: Leapsome will create new teams for every group in Entra ID that has not yet been set up manually in Leapsome
- Assign users to teams: Leapsome will automatically assign users to teams, based on the groups a user belongs to in Entra ID
- Create levels and assign users to them (optional): If you include your Entra ID level information in the synchronization, these levels will automatically be created in Leapsome and assigned to the respective users
- Enable Single Sign-On (SSO): Learn more about this in this article
Importantly, Entra ID will be treated as the source of truth: any changes you make in Active Directory will be reflected in Leapsome, even if that means overriding changes made in Leapsome. Leapsome will not make any changes to Active Directory data. Please note that even with the integration active, you can still add additional teams manually in Leapsome. These teams will not be overwritten by the integration.
Just a note: If you already created teams manually in Leapsome before switching on the integration, please make sure that the teams you have in Leapsome are spelled exactly like in your HRIS (take into account spaces, commas, etc). Otherwise, the integration may add duplicate teams with a slightly different spelling to Leapsome.
Which attributes can be synchronized?
When setting up the integration, you can choose which attributes should be synchronized with Leapsome. This table shows you how attributes in Entra ID will be reflected in Leapsome and gives you an overview of the mandatory and optional fields.
Information from Entra ID that can be synchronized using the integration includes:
- First Name
- Last Name
- Position/Job title
- Team (via Groups)
- Department
- Manager
- Level
- Division
- Cost center
- Location
- Gender
- Start Date
- End Date
- Birthday
- Photo
- Custom attributes (reflected as custom attributes in Leapsome)
Important notes on attributes
Provisioning the User Status with "IsSoftDeleted"-Attribute
The attribute IsSoftDeleted determines whether a user in Entra ID is active or not. As a consequence, the user will be (de)activated in Leapsome. IsSoftDeleted is often part of the default mappings for an application. It is not recommended to remove the IsSoftDeleted attribute from your attribute mappings. IsSoftDeleted can be true in one of four scenarios:
- the user is out of scope due to being unassigned from the application
- the user is out of scope due to not meeting a scoping filter
- the user has been soft deleted in Entra ID
- the property AccountEnabled is set to false on the user
Once one of these cases occurs, the respective User will be treated as "active=false", and in consequence, Leapsome will deactivate this user's account.
Provisioning of Null attributes
Entra ID currently can't provision null attributes. If an attribute is null on the user object, it will be skipped. If you for example used to provision the Manager via the integration, but now delete the manager information in Entra ID, the Manager value becomes a null attribute. This will then not be included in the next synchronization, which implies that the old manager information will remain in Leapsome and has to be removed manually in Leapsome.
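The null-attribute behaviour described above can be checked with a small reconciliation, shown here as an added example that is not part of the original article or Leapsome's code. It models one sync run on constructed records and lists the values the sync cannot clear; the field names and the `SYNCED` attribute list are assumptions, not Leapsome's export schema.

```python
# Added example on constructed data. Field names are assumptions.
SYNCED = ("department", "manager", "location")

def apply_sync(target, source):
    """Model of one sync run: copy every non-null source attribute, skip nulls."""
    updated = dict(target)
    for attr in SYNCED:
        if source.get(attr) is not None:
            updated[attr] = source[attr]
    return updated

def stale_attributes(entra_users, leapsome_users):
    """Return {externalId: [attrs]} where Entra ID is null but Leapsome holds a value."""
    by_id = {u["externalId"]: u for u in leapsome_users}
    findings = {}
    for src in entra_users:
        dst = by_id.get(src["externalId"])
        if dst is None:
            continue  # not provisioned yet, so nothing can be stale
        stale = [a for a in SYNCED
                 if src.get(a) is None and dst.get(a) is not None]
        if stale:
            findings[src["externalId"]] = stale
    return findings

# Constructed sample: manager and location of "e-1002" were deleted in Entra ID.
ENTRA = [
    {"externalId": "e-1001", "department": "Sales", "manager": "e-1000", "location": "Berlin"},
    {"externalId": "e-1002", "department": "Finance", "manager": None, "location": None},
]
LEAPSOME = [
    {"externalId": "e-1001", "department": "Marketing", "manager": "e-1000", "location": "Berlin"},
    {"externalId": "e-1002", "department": "Finance", "manager": "e-1000", "location": "Munich"},
]

def run_audit():
    """Sync once, then report what the sync left behind."""
    source = {u["externalId"]: u for u in ENTRA}
    synced = [apply_sync(dst, source[dst["externalId"]]) for dst in LEAPSOME]
    return synced, stale_attributes(ENTRA, synced)

if __name__ == "__main__":
    for user_id, attrs in run_audit()[1].items():
        print(f"{user_id}: clear manually in Leapsome -> {', '.join(attrs)}")
```

Non-null changes (the department of `e-1001`) are overwritten as expected, while the deleted manager and location of `e-1002` survive the sync and are reported for manual cleanup.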
Setting up the integration
Before you get started
- Please make sure that the person setting up the integration has Admin rights in Leapsome as well as the "Global Administrator" role in Entra ID. You can give Leapsome Admin rights to the person helping you with the setup by editing their platform role in the 'Employees' section
- User provisioning through SCIM 2.0 is only available through the hosted AD version called Entra ID. If you are currently using an on-premise Active Directory solution it will need to first be configured to sync its data to Entra ID using Azure AD Connect, as described in this article.
- To integrate with Leapsome, you will have to set up a new application in Entra ID. There already is a gallery app called 'Leapsome' available in Entra ID. Please do not use the gallery app, as it does not support the advanced customizations that may be needed for your use case, like the expanded configuration possibilities with attribute mappings for example
- If you want to synchronize custom attributes from Entra ID with Leapsome, please make sure to create a corresponding custom attribute in Leapsome first, as you will need this attribute's ID to set up the synchronization
Create new application
- In your Entra ID, go to 'Enterprise Applications'
- Select 'New application'
- Choose 'Non-gallery application' / 'Create your own application'
- You will be asked for a name, write 'Leapsome'
- Below the name select 'Integrate any other application you don't find in the gallery (Non-gallery)' as the reason for this custom application
- Click 'Create'
- The Leapsome application that you just created can now be used for both user provisioning and Single Sign-On (SSO).
Configure User Provisioning
- Go to the 'Provisioning' tab in your new application
- Click 'Get Started'
- From the 'Provisioning mode' dropdown, select 'Automatic provisioning'
- For the tenant URL, enter "https://www.leapsome.com/api/scim"
- To obtain your secret token, log in to your Leapsome administrator account, go to 'Settings' > 'Integrations', select 'HRIS Integrations', then choose the 'SCIM API' tab, and click 'Update & Synchronize'. A SCIM Authentication Token should now be displayed in Leapsome.
- Enter your new secret token on the Active Directory Application page and click 'Test connection'; a success message should appear.
- Click 'Save' at the top of your screen.
Configure Mapping
- In the Provisioning tab in Entra ID, click on 'Edit Attribute mappings'
1. Configure Group Mapping
- On the next page's 'Mappings' section, click on 'Provision Azure Active Directory Groups'
- Adjust your Group mappings so that the result matches the following screenshot (this should be set by default, any other mappings should be deleted):
- Save your changes
2. Configure User Mapping
- Similarly, in the 'Mappings' section, click on 'Provision Azure Active Directory Users'
- Adjust your User mappings so that the result matches this table. Any other mappings should be deleted.
- Please make sure to include all attributes marked as 'mandatory' to your mapping
- If desired, you can also include more (custom) attributes to the mapping. Read more about this in the 'Optional Settings' section of this article
- If you cannot select a target attribute as shown in the table, you'll need to edit the attribute list for your application
- Below the mapping table in Entra ID click on 'Show advanced options'
- Then, click on 'Edit attribute list for customappsso' to create the Leapsome attributes you want to use in your mapping
- Save your changes
Assigning users and groups
- Go to the 'Users and groups' tabs
- Add all users/groups that should be present on Leapsome
- 'Groups' will appear as 'Teams' on Leapsome
- AD users and AD group members will be created as users on Leapsome (for security groups only, no nested groups)
Provisioning status
- In Entra ID, make sure that within 'Provisioning' > 'Settings', the scope is set to 'Sync only assigned users and groups' to prevent all of your users in Entra ID from syncing with Leapsome.
- Switch Provisioning status to 'On'
- Save your changes
Finalize the synchronization
For the initial user provisioning, 2 forced syncs are recommended: the first sync will create the users and the second sync will update the reporting lines.
That's it - you're all set. Please get in touch with our support team if you have any questions!
Optional settings
Automatically Invite Users
In the integration settings in Leapsome, check the box 'Automatically send Leapsome invite emails to provisioned employees' if you want users to be notified via email right after the integration has created an account for them in Leapsome. If you don't check this box, you can invite your users at a later point in time by visiting the 'Employees' tab and clicking on 'Actions' > 'Send Invites'.
Synchronizing Custom Attributes
Aside from the attributes listed in the attribute mapping overview as 'mandatory', you are free to also include custom attributes to the synchronization. To do this, you have to first set up the corresponding attribute in Leapsome.
- Go to 'Employees' and click on 'Custom Attributes'. In the Pop-up window, you can configure the custom attribute according to your needs and can also define which format its values can have.
- Once you've set up your attribute and click on 'edit', you can see the attribute's SCIM ID. This will be needed for your mapping in Entra ID
- In Entra ID, add this attribute to your mapping by selecting a source value from your AD and entering the corresponding value from Leapsome.
- This will always have the form of a prefix + the SCIM ID of the attribute: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.YOUR_CUSTOM_ATTRIBUTE_ID
Exclude users from being synchronized
If you want to exclude certain groups of people from the synchronization, this can be done in Entra ID by editing the Users & Groups assigned to the enterprise application or through additional scoping filters.
Frequently asked questions
What will happen with existing teams that I have manually set up in Leapsome?
Teams from Entra ID will be added to your manually created teams. Once the synchronization is up and running, Entra ID will automatically update team memberships for teams initially set up through Entra ID.
I have some users with two accounts in Leapsome, why is that?
Most likely, the external ID is not part of the synchronization and you have changed the email address in Entra ID. If no external ID is provisioned, Leapsome will identify users by their email address. If this email now changes, Leapsome will treat this new email as a new user and create an account for them. Adding the "externalID" attribute to your mapping in Entra ID will prevent this.
What is the difference between an External user ID and a Leapsome ID?
The Leapsome ID is a unique user ID assigned to any account created within the Leapsome application. The external ID is an ID that has been sent to Leapsome (or automated via HRIS integration) which represents the unique user ID in your main user management system. This ensures the sync of the correct user accounts in cases like email changes, etc. as the external ID remains the same in your system while an email can change. It is optionally attached to a Leapsome account for identification.
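The duplicate-account case from the two answers above, as an added example that is not part of the original article: a model of the stated matching rule (external ID when provisioned, otherwise email) run on constructed data, with and without the external ID in the mapping. The `upsert` helper and the account fields are hypothetical and do not represent Leapsome's API or internals.

```python
# Added example: a model of the matching rule the FAQ describes, on constructed data.
from itertools import count

def upsert(accounts, incoming, ids):
    """Match by externalId when one is provisioned, otherwise by email; create on no match."""
    ext = incoming.get("externalId")
    for acct in accounts:
        if ext is not None:
            matched = acct.get("externalId") == ext
        else:
            matched = acct["email"] == incoming["email"]
        if matched:
            acct.update(incoming)  # same person: update in place
            return acct
    created = {"leapsomeId": next(ids), **incoming}
    accounts.append(created)       # no match: a new account is created
    return created

def simulate_email_change(with_external_id):
    """Provision one user, change their email in the source system, sync again."""
    accounts, ids = [], count(1)
    before = {"email": "j.doe@example.com", "name": "Jane Doe"}
    after = {"email": "jane.smith@example.com", "name": "Jane Smith"}
    if with_external_id:
        # Placeholder value; in practice a stable ID from the source directory.
        before["externalId"] = after["externalId"] = "entra-object-id-placeholder"
    upsert(accounts, before, ids)
    upsert(accounts, after, ids)
    return accounts

def duplicate_candidates(accounts):
    """Accounts without an externalId can only be matched by email, so they are at risk."""
    return [a["leapsomeId"] for a in accounts if a.get("externalId") is None]

if __name__ == "__main__":
    for flag in (False, True):
        result = simulate_email_change(flag)
        print(f"externalId mapped={flag}: {len(result)} account(s), "
              f"at risk: {duplicate_candidates(result)}")
```

Without the external ID the email change leaves two accounts for one person, and the old one stays active until someone handles it manually; with the external ID mapped, the existing account is updated in place.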
Can I delete users in Leapsome through the integration?
No, users can only be deactivated automatically. To delete a user, you have to do this manually in the 'Employees' section of Leapsome
Can I edit the synchronization frequency?
The synchronization frequency is fixed. It will run approximately every 40 minutes.
I cannot find the attributes listed as 'target attributes' in Entra ID. How can I add them to my view?
In some cases, the target attributes that will be used for the attribute mapping are not showing as an option by default. In these cases, you have to set them up first, before using them in the mapping. The section 'Configure Mapping' > '2. Configure User Mapping' describes how to do that.
It seems like the 'manager' attribute cannot be updated. How can I fix this?
If you are setting up the integration for the first time, you may need to perform two full synchronization runs in order for the manager to show up in Leapsome. The first run will create the user profiles, and the second one will create the reporting lines.
Please also note that managers will only be assigned if that manager's profile has already been created in Leapsome. Please check if the managers that are missing in Leapsome are in scope for provisioning.
Which 'Email' should be used for the user mapping?
We recommend using the userPrincipalName attribute, but hypothetically all other fields that contain an email address can also work. If you want to use SSO or integrations (Teams, Slack or Outlook), please make sure the email you use is the same one used in the other platforms, so that we can match accounts using this address.
How can I prevent Leapsome from creating a team from each group I assign to the App in Entra ID?
Once you assign users to the Leapsome App in Entra ID, Leapsome will read the group memberships of these users and create 'teams' for each of the groups. However, there may be groups that are only used for administrative purposes (e.g. 'Leapsome Pilot', 'Leapsome Test Group', etc.). To prevent these groups from being shown as teams, just set up a scoping filter to exclude the group name from being submitted to Leapsome.
Such a scoping filter can be defined as, e.g., 'objectId' NOT EQUALS <objectId of the group which you don't want to appear as a team in Leapsome>. Learn more about scoping filters here.
I want to synchronize photos from Entra ID with Leapsome. How does the photos attribute need to be formatted?
To synchronize photos from Entra ID with Leapsome, we require a string containing the full URL to the user's picture (including prefixes such as 'https://'). If you do not have an attribute in Entra ID that contains the picture URL of your users, please set this up first. You can get in touch with Microsoft to learn how to do this.
Is there additional support available?
Yes! Have a look at this Microsoft support article or get in touch with our support team via the blue 'Help' button in Leapsome if you need any help. In case some attributes are not syncing correctly, please share a screenshot of your user mapping as well as the logs of a 'Provisioning on demand' run with our support team.